Security researchers at Skycure have discovered another weakness in smartphone security, and this could impact you despite whatever security measures you’ve taken personally. Most smartphone operating systems, iOS and Android included, offer the ability to “remember” the SSIDs and passwords of Wifi networks you have accessed with your smartphone, and have the ability to automatically connect to that network the next time you are in range. Skycure has alleged that at least one major carrier, if not all of them, is also pre-programming certain SSIDs into phones straight from the factory, ostensibly to provide customers with a convenient connection to carrier-hosted or sponsored Wifi hotspots. For example, AT&T iPhones allegedly are shipping with the “attwifi” SSID preprogrammed into the phone, and will supposedly automatically join that wifi network, presumably in use by AT&T’s retail storefronts, whenever the phone comes across it.
Here’s why this is bad: hackers could spoof any SSID that you’ve set your smartphone to remember and autoconnect, and they’ve got a straight shot at your phone. Normally, this wouldn’t be a problem, as this requires guessing what SSIDs are stored on your phone, and then getting close enough to that phone with the spoofed Wifi network. But with the above, it would be trivial to sit in a crowded mall or any high-traffic walkway, scanning for AT&T iPhones, knowing that some, if not all, will autoconnect to a fake “attwifi” SSID without the owner ever being aware that they just got hacked.
What this means for you:
This exploit seems to be fairly new, and though Skycure claims to have seen this happening in the wild, it’s not widespread, yet. The best course of action is to disable the “autoconnect” setting for any wifi network you have used with your mobile device, whether it be smartphone, tablet or laptop. It will mean a few seconds of inconvenience anytime you are out and about and trying to get internet access, but it may mean the difference between keeping your cellphone secure or getting it hacked.
UPDATE: By default, Android phones will store SSIDs and passwords for any wifi network you add to your phone, and will automatically connect to that network whenever it is in range. There is NO way to disable the autoconnect functionality built into the native Android settings. However, you can use an app to control automatic connections. I am currently testing this app, which is “free” but ad-supported. I’ve not tested it long enough to give a recommendation, but it does allow you to toggle the autoconnect functionality on or off per hotspot. On iOS devices, the only way to natively disable the “auto-join” feature is to actually connect to one of the pre-defined hotspots, e.g. visit a local AT&T store, and then turn “Auto-join” off for that particular network.
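The same auto-join behaviour exists on laptops, and there it can be audited from the command line. The script below is an added example, not something from Skycure or the original post: it assumes a Linux laptop running NetworkManager, parses the output of `nmcli -t -f NAME,TYPE,AUTOCONNECT connection show` (one colon-separated record per saved profile, with literal colons escaped as `\:`), lists the remembered Wifi profiles that will join automatically, and prints the `nmcli connection modify` commands that would turn auto-connect off for each of them. The sample output embedded in it is constructed, including the “attwifi” line standing in for a carrier-preloaded profile.

```python
"""Audit remembered Wi-Fi profiles for auto-connect using nmcli terse output."""
import subprocess

# Constructed sample of what the nmcli command prints on a laptop that has
# remembered a few networks.  The 'attwifi' entry mimics a carrier-preloaded
# profile; 'Home\:5GHz' shows nmcli's escaping of a colon inside a value.
SAMPLE_OUTPUT = """\
Home\\:5GHz:802-11-wireless:yes
attwifi:802-11-wireless:yes
CoffeeShop Guest:802-11-wireless:no
Wired connection 1:802-3-ethernet:yes
"""

WIFI_TYPES = ("802-11-wireless", "wifi")  # terse name, plus the short alias


def parse_terse(text):
    """Split nmcli -t output into (name, type, autoconnect) tuples.

    Fields are separated by ':'; a backslash escapes the next character,
    so '\\:' inside a value is a literal colon and not a separator.
    """
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields, current, i = [], [], 0
        while i < len(line):
            ch = line[i]
            if ch == "\\" and i + 1 < len(line):
                current.append(line[i + 1])
                i += 2
                continue
            if ch == ":":
                fields.append("".join(current))
                current = []
            else:
                current.append(ch)
            i += 1
        fields.append("".join(current))
        if len(fields) != 3:
            raise ValueError(f"unexpected nmcli record: {line!r}")
        name, ctype, auto = fields
        rows.append((name, ctype, auto == "yes"))
    return rows


def autoconnect_wifi(rows):
    """Names of saved Wi-Fi profiles that will be joined automatically."""
    return [name for name, ctype, auto in rows if ctype in WIFI_TYPES and auto]


def disable_commands(names):
    """The nmcli command that turns auto-connect off for each named profile."""
    return [["nmcli", "connection", "modify", n, "connection.autoconnect", "no"]
            for n in names]


def live_output():
    """Run the real nmcli query; returns None when nmcli is unavailable."""
    try:
        done = subprocess.run(
            ["nmcli", "-t", "-f", "NAME,TYPE,AUTOCONNECT", "connection", "show"],
            capture_output=True, text=True, check=True)
        return done.stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    text = live_output() or SAMPLE_OUTPUT
    flagged = autoconnect_wifi(parse_terse(text))
    for cmd in disable_commands(flagged):
        print(" ".join(cmd))  # review the list, then run the ones you want
```

Run without arguments it only prints the commands; nothing is changed until you run them yourself.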
In a public event hosted by the Reddit.com, infamous NSA whisteblower Edward Snowden answered questions posted by Reddit users on a variety of topics. Of particular note was his response to a question about whether encrypting emails would be an effective way to keep the NSA (or anyone else, for that matter) out of your business. Snowden’s response was both heartening and depressing at the same time:
Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.
What this means for you:
Imagine you want to send a package that contains some very valuable items to a friend on the other side of the world. You carefully wrap the items and then lock them in a briefcase, which is in turn handcuffed to an armored guard, who is then transported via armored truck to your friend’s house. He makes sure that the package is put into your friend’s hands and verifies that your friend is indeed who he says he is, and he even calls you to let you know that the package has been delivered safely. This is analogous to using email encryption to send an email to a friend.
Unfortunately, your friend’s house has a broken lock on the front door, and he carelessly leaves the valuable items in plain view of a window that is also unlocked. That’s analogous to the weak endpoint security Snowden refers to at the end of his response.
In other words, it doesn’t matter how much security you engage on your end if your recipients don’t engage in the same level of security. To use another real-world analogy: cyber attacks are like water – they will flow into every nook and cranny, looking for a way in. It doesn’t matter if 99% of the surface it is covering is impenetrable. That last 1% provides the hairline crack needed to seep in and destroy everything from the inside.
There’s a whole lot of spying going on: the US and China continue to bicker over who’s spying on who, and the Washington Post fumbles an early scoop that clearly confuses what may end up being the biggest information leak since the Wikileaks scandal. In the midst of this surveillance brouhaha, the confidential source that triggered the Washington Post story has stepped forward in the form of an IT security analyst employed by the spookiest of spook agencies, the Central Intelligence Agency and the National Security Agency. Based upon the information this whistleblower has provided to news agencies, the American Civil Liberties Union has brought suit against the president, the NSA and Verizon for illegal spying, and more are on the way.
What this means for you:
Though the details are still being argued over, it appears the NSA has had an ongoing warrant with Verizon that has provided them with calling histories for just about any domestic Verizon customer, all under the umbrella of the controversial Patriot Act. Now, before you start worrying that your recorded phone calls will be leaked and become the next YouTube sensation, the information collected is call metadata (numbers, times, geographic locations) rather than recordings of your conversations, Hollywood “listening post”-style. Given the vast computational power the NSA has at its fingertips, this is still amazingly comprehensive, and gives them the ability to very accurately profile any US Verizon customer based upon that history.
Sadly, once again, there’s very little you can do as an individual, other than to write your congressperson, or boycott just about every major telecommunications provider and credit card company out there, because it seems that all of them have been forced to cooperate with the NSA at one point or the other under the Patriot Act. The Wired article also makes a very good point: threats to our security can just as easily come from the inside as the outside. Unfortunately, for all involved, it also demonstrates the trend that trusted insiders can easily become the biggest security breach an organization has ever known.
Have you thought about what access your employees have to confidential information? How much trust have you invested in them? Do you have sufficient controls in place to protect your company from inadvertent security breaches caused by a trusted employee? What if that same employee was to deliberately breach your security?
Apple officially announced the next version of their mobile device operating system at the Worldwide Developer Conference on June 10th. The rumors of a redesigned interface proved to be true, as iOS 7 showed off a completely reskinned interface that features a more muted color scheme with “flattened” elements, a marked departure from the infamous “lickable” buttons and widgets of previous iterations. The new look was also backed by many updates to interface mechanics, expanded multitasking, redesigns of some of the built-in apps, and the launch of Apple’s own streaming music service, a direct competitor of similar services like Spotify, Pandora, and Google’s Music All Access.
What this means for you:
If you have an iPhone 4 or iPad 2 or newer, then the OS update will be automatically pushed out to you when it is released this Fall. Aside from the new look, iPhone users will enjoy the new “control center” function – a slide-up widget that allows you to access commonly used iPhone settings like toggles for Wifi, Bluetooth and Airplane Mode. The expanded multi-tasking capabilities will now grant all apps the ability to work in the background (iOS 6 restricted this capability to a handful of Apple apps only) without significant drains on the battery, so content-based apps can grab content as it becomes available (push-based) versus when requested by the user (pull-based).
If you are an Android user, you may be scratching your head and wondering why it’s taken Apple so long to bring features like the above to the iPhone. To be fair, Apple has been focusing their energy on a foolproof OS, which sometimes means making compromises on capabilities, but with an eroding marketshare and Samsung hot on their heels, the gloves have come off in the smartphone wars. For a full list of features, you can visit Apple’s iOS 7 website.
Proving that sometimes our Congress people come by their paychecks honestly, a bi-partisan privacy caucus led by Joe Barton (Rep. TX) sent a list of questions to Google’s CEO Larry Page, asking him point blank about several privacy issues, including whether or not Google would allow the use of facial recognition technology on Google Glass.
Supposedly, Google has maintained from the start that facial recognition would never be implemented without “strong privacy protections in place.” In a Google+ post Friday, they reiterated this position and stated that Google “…won’t be approving any facial recognition Glassware at this time.”
What this means for you:
By default, Android OS-based devices can only install software via Google’s Play store. Software distributed via Play must go through Google’s approval process, much like apps on Apple’s iTunes store, so you can assume that Google will be true to their word and prevent distribution of facial recognition apps simply by not approving them. However, unlike iPhones, many versions of Android allow “sideloading” of apps with a simple settings change. Sideloading in the Android ecosystem is well established – Amazon.com has an app store that requires sideloading to be enabled, and instructions for enabling this capability are easily found on their website and many, many others.
Bottom line: this is yet another Pandora’s box that won’t be closed. Facial recognition is a reality, and portable, undetectable devices capable of performing this function are only a step away from today’s consumer technology. Technology (and scientific progress in general) advances despite legal or cultural ramifications. One could argue that society only advances in light of controversial technologies like Google Glass. We are only beginning to glimpse the potential of an always connected and much less private world. Google Glass is only one step in a long, uphill climb.
The upcoming Black Hat security conference features a topic that may give traveling iPhone users second thoughts about using a public charging station to juice up their phones. Three security researchers from Georgia Institute of Technology have built a prototype device that can hack an iPhone through the dock connector merely by being plugged in. Supposedly this hack can be accomplished on the latest iOS update, and does not require any interaction from the user, nor does it rely on the device being jailbroken.
What this means for you:
I’ve always viewed public charging stations as being rather sketchy to begin with, especially the ones that charge you for the service and offer “highspeed charging” which could easily fry your phone’s battery if not the device itself. I’d rather spend a few extra minutes locating a regular wall outlet and using my own equipment. Supposedly the prototype that will be demonstrated at the upcoming conference is too big to fit into a standard Apple-branded iPhone charger, but the designers of the device implied that stealthier versions wouldn’t be hard to produce at all.
Most modern smartphones combine data and power in the same port (Android phones and most tablets also feature this same convenience) so it may not be just iPhones that will be vulnerable to this method of attack. For now, make sure you use chargers you know are safe regardless of what type of mobile device you use, and avoid public charging stations. This particular cow is well on its way out of that barn.
According to the Washington Post, the Pentagon has recently received a report that states that over two dozen US weapon systems plans and specifications have been stolen via digital attacks on defense contractor and subcontractor systems. The list of possibly compromised systems includes several key military assets such as the F/A-18 fighter, the F-35 Joint Strike Fighter, the Black Hawk helicopter and the Patriot Missile. Officially, the Pentagon has downplayed the report, stating that they have no reason to believe the strength or integrity of the military has been compromised in any way, but Department of Defense officials have said, off the record, that there is growing concern that the Pentagon and our government at large are increasingly falling behind in their ability to defend our digital borders from future cyber attacks.
What this means for you:
Regardless of your political leaning, there are few Americans who believe that our government runs a tight ship, and anyone who’s had any dealings with the Federal government knows that for the most part, they are woefully behind in just about every aspect of technology. Poor operational standards and old technology are a recipe for security disaster on a large scale for any business, and the Department of Defense is about as big a business as you can get.
Just like the problem life insurance salespeople face (no one wants to face the fact of dying), many businesses still have not come to grips with the fact that they will have (or already have had) a security breach. Many defense contractors who have lived in the bubble of American military superiority for so long have developed a complacency that is leading to poor decisions and lack of preparation until it is too late. The Chinese military is hungry to tip the scales, and it seems that they have the digital advantage.
Surely your business is more nimble than the Department of Defense. Have you grown complacent and ignored your technology’s security? Wouldn’t you rather do some work ahead of a security breach rather than scrambling to repair the damage?
In a controlled experiment run by technology website ArsTechnica.com, hackers were given a list of over 16,000 hashed passwords and asked to try to decipher as many as possible. Not only were they able to crack over 90% of the passwords in about 20 hours, one of them managed to decipher over 60% of the hashed passwords in less than an hour using a single computer.
To put this into some context, the target list contained passwords of varying lengths and composition, containing letters, numbers and symbols, and was hashed using MD5. For the uninitiated, “hashing” a password is a one-way transformation used to store passwords without keeping the password itself. When you go to log into your password-protected service, the server takes the password you just typed in, “hashes” it, and then compares it to the hashed password it has stored for you, and if they match, you are authenticated. Hashing is commonly used so that if a server is compromised and a list of passwords is downloaded, all the hackers have gained is a list of hashes that cannot be directly turned back into passwords. Of the hashing algorithms available, “MD5” is very common, because it requires little computational power, something that busy websites want to reserve for other functions.
The hackers in the ArsTechnica project used brute-force dictionary attacks driven by their own hand-built hash source lists, essentially decoding the target list by comparing hashes against lists that contain upwards of a billion combinations of letters, numbers and symbols. The computers used in this exercise were garden-variety workstations capable of processing several million guesses per second using parts easily procured from any computer store. Late last year one of the hackers involved showcased a cluster computer built using the same parts. Designed specifically for cracking passwords, this machine was capable of processing 350 billion hash guesses per second, and if it had been used in the above exercise, would have worked through the list in a few hours.
What this means for you:
The real intent of ArsTechnica’s exercise was to demonstrate how little real security passwords provide, even ones that are traditionally believed to be very strong, e.g. “qeadzcwrsfxv1331”. The hackers involved in the exercise pointed out that the controlled nature of the exercise actually limited their ability and efficiency as compared to “real world” scenarios – the fact that they were limited to traditional workstations and were cracking a list about which they had no further information. Typically, crackers will have much more information about the passwords they are attempting to decipher, such as the security rules enforced when the users create them (e.g. 8-14 characters, must contain a letter and a number but no symbols, etc.). Even knowing the service or site the passwords were used on will help crackers decipher passwords, as it will often allow them to uncover the hashing algorithm used on the passwords.
If you think you are being clever by creating “hard” passwords that are ten characters or longer and interspersed with numbers, there is a statistically high probability that even that combination will be on these brute-force source lists, especially if you use the common substitutions like 3 for “e”, zero for “o” and so on. Computers have become so powerful that cracking even the most complex passwords is really a matter of patience and persistence.
On the flip side, most services we use are secured against brute-force attacks, at least on an account-by-account basis. No hacker is going to waste his or her time trying to guess your online banking password via the methods described above, as they would get locked out after the 3rd or 4th failed guess. But if they somehow managed to get into the bank’s servers and download a list of hashed passwords (which has been happening to other services quite often), you can bet your password will soon become another statistical probability in some hacker’s brute-force dictionary list.
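To make the hashing discussion above concrete, here is an added example (mine, not code from the ArsTechnica exercise) showing the two halves of the story: why a list of unsalted MD5 hashes can be answered with one precomputed table of guesses, and what changes when a site stores passwords with a per-user random salt and a deliberately slow hash (PBKDF2-SHA256 from Python’s standard library). The guess list and the “leaked” hashes are constructed for the demo; real source lists run to billions of entries.

```python
"""Unsalted MD5 lookup versus salted, slow password storage (added example)."""
import hashlib
import hmac
import os

# Constructed mini "source list" of guesses, including the 16-character
# password the article quotes; a cracker's real list is vastly larger.
GUESSES = ["password", "letmein", "qeadzcwrsfxv1331", "Summer2013", "p@ssw0rd"]


def md5_hex(password):
    """Unsalted MD5 as a site in the article would store it."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(leaked_hashes, guesses):
    """With no salt, one hash->guess table answers every account at once.

    Returns {leaked_hash: recovered_password} for every hash in the table.
    """
    table = {md5_hex(g): g for g in guesses}
    return {h: table[h] for h in leaked_hashes if h in table}


def store_pbkdf2(password, iterations=200_000):
    """Per-user random salt plus a slow KDF; the stored record is
    (salt, iterations, derived_key).  Two users with the same password
    get different records, so no shared precomputed table applies."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, key


def verify_pbkdf2(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, key = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, key)


if __name__ == "__main__":
    # Constructed "leaked" list: two guessable passwords and one that is not.
    leaked = [md5_hex("qeadzcwrsfxv1331"), md5_hex("correct horse"), md5_hex("letmein")]
    print("recovered from unsalted MD5:", crack_unsalted(leaked, GUESSES))
    a, b = store_pbkdf2("letmein"), store_pbkdf2("letmein")
    print("same password, different stored hashes:", a[2] != b[2])
    print("verify right/wrong:", verify_pbkdf2("letmein", a), verify_pbkdf2("letmeout", a))
```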
A Congressional report authored by California Representative Michael Waxman and Massachusetts Representative Ed Markey publicizes that some United States utility companies are under constant cyberattack. Based upon a survey of 160 utilities, the publication notes that a dozen of the respondents report that they experience “daily, constant or frequent attempted cyber attacks.” Congress and the White House are understandably concerned that hackers could damage the nation’s power grid, but the utilities say that their security standards are sufficient to protect the systems that keep America’s lights on, and that the attacks suffered by the utilities are no different than the ones that other American businesses and organizations suffer on a regular basis.
What this means for you:
Unless you happen to be a highly placed Security Officer at the North American Electric Reliability Corporation or a member of the House Energy and Commerce Committee, there’s not much you’ll be able to do personally to prevent cyberterrorists from eventually hacking a utility. Many security analysts predict that it’s only a matter of time before a US utility gets hacked, and you may recall a rather hushed-up incident affecting a large Saudi energy company not too long ago.
The real truth of the matter is that most companies, regardless of size, function or even nationality, are being probed and tested on a regular basis. The server that hosts this website experiences dozens (sometimes hundreds) of attacks on a daily basis. Is C2 being targeted specifically? Unlikely, but whether there is specific human intent behind the attacks or not, the fact remains that if (when) one of those automated attacks actually manages to penetrate a weakness, you can bet a human will follow along behind to assess whether the target is worth further hacking, or simply relegated to the growing army of zombified computers that are pointed at more high-value targets. My server doesn’t contain anything important enough to warrant concentrated effort, but you can bet that a compromised utility company server is a high-value target. And when everyone is gunning for you, you can’t dodge bullets forever, no matter how good you think your security is.
Dell, on the tail-end of a dismal earnings report that failed to meet Wall Street’s expectations, has been busily diversifying its product offerings in the face of flagging PC computer sales. The fruit of one of those diversifications is coming from Dell’s recently purchased WYSE division, a manufacturer known most prominently for their thin-client platforms, in the form of an extremely small thin-client that can be plugged directly into the HDMI port of late-model monitors and TVs to create a “computer on the go.” Dubbed “Ophelia,” this device is just slightly larger than a USB flash (née thumb) drive, and will run the Android 4.0 OS natively, but can also hook into virtualization platforms from industry standards VMware, Citrix and Microsoft. Expected to arrive in July for developers and the general public this Fall, Ophelia is expected to cost approximately $100.
What this means for you:
More and more businesses are turning to virtualization and cloud-based resources, one of many factors that is contributing to Dell’s weakening PC sales. The purchase of WYSE was a shrewd move, assuming this trend continues, and we don’t see a rebound like the industry saw in the 80’s with its first romance with the client-server model. Unlike the first go-round with client-server technology, today’s thin clients are more than powerful enough for the average knowledge worker’s needs while still being easier and cheaper to maintain than a fleet of standard desktops. The move to ultra-portable seems to be a natural next step, given the modern workforce’s growing acceptance of mobility, and may be a much-needed shot in the arm for Dell.
Should you go out and buy one? At $100, it may add another layer of sophistication to your fancy LCD big-screen in the living room, or add a valuable and extremely portable resource to your traveling business kit. It’s still way too early to tell, but basing it on Android will give the device a solid app eco-system that will hopefully prevent it from being just another addition to the drawer of lost technology toys.